FBI Formally Accuses North Korea Of The Sony Hack

from the h4x0r! dept

Just this morning, Tim Cushing (aka, Other Tim) wrote about how likely it was that the White House would make a statement today on the Sony hack, naming North Korea as the perpetrator and treating this all like a far bigger deal than it probably should be. However, the FBI beat them to the punch, becoming the first alphabet agency to formally accuse North Korea of being 56th in line in the great 12-year hackathon that's been Sony's corporate networks.

As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:

-Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.

-The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

-Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

Since the rumors that a formal accusation was on the way first began, the question on everyone's mind has been exactly what evidence would be used to draw that conclusion. As it turns out, based on what the FBI is releasing, it seems fairly thin. Their press release makes it sound like the attacks upon which they're drawing similarities are significantly alike, when a great deal of other reporting indicates that they simply use the same hacking software available on the black market and are routing through some locations known for their use by hackers. The similarity between the Sony attack and the attack on South Korea has more to do with the above plus the timing. The accusation that the hacks used were directly developed by North Korea is interesting, but meaningless without actual evidence. Simply saying it doesn't make it so.

Regardless, even if North Korea does prove to have been responsible, there's no excuse for saying things like:

North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States. Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves.

While I'm generally loath to blame a victim, when that victim takes so lax an attitude toward its own security as to be hacked roughly five times a year and still not bother to implement basic password policies, what else am I supposed to do? This doesn't show the grave, mega-scary, super-threat of cyber-terrorism. It shows that Sony has some exceptionally lazy security and IT people. As for the attack posing a threat to freedom of expression, well, we have Sony's cowardice and the cowardice of the theater chains for that. It's unbelievable that companies operating within the American system should self-censor this way. It's surrender of the mind and the thought. It's the same thing as the Danish cartoons and Salman Rushdie. Sony and the theaters are allowed to self-censor and to deprive the American people of the movie, but that doesn't make it okay.

You should expect to see the White House touting the FBI's report as gospel and rattling several sabers in the direction of Pyongyang, for all the good it will do. Giving in to a regime that can't manage to feed its own people seems like a mistake to me, but what do I know?

Update: And, almost as this post was finished being written, President Obama appeared before the press to condemn the attacks. He also indicated that it was the wrong move for Sony to censor the movie. In fact, he suggested that Sony should have consulted with the administration to assess the threat. Both comments, of course, are quite easy to make now that it's Friday and the decision cannot be reversed.

Really, Sony gets a bit too much flak for "caving to terrorist" over this.

First, they already had theater chains dropping the movie over the threats which largely forced their hand. If a bunch of their distributors won't release it, they're pretty much forced to choose to either have an extremely haphazard release of the movie, hurting its potential profitability at the box office, or "cancel" the release and wait to do something with it later. They picked the second option, which financially is probably the better option for them.

We've already seen them start to take damage from what's been released thus far. The slim chance that not releasing the movie will result in fewer embarrassing data releases is probably worth quite a bit to them at the moment. The movie release can easily wait until they've had more time for the fallout from the hack to settle, and people are no longer sitting around waiting for the next Sony embarrassing revelation.

Re: "thin"?

Government is Gaming the Public

I've worked as a public servant and seen time and time again how the government will make an issue out of some event and use it to pass legislation that will in the end be bad for the general public.

The image I imagine is of some power hungry bureaucrats sitting around a table and one dude is greedily rubbing his hands together and with a sly look says, "This SPE hack is just the catalyst we need to pass our ____ legislation."

Fill in the blank with PIPA, SOPA, government drone, or any other intrusive government legislative action.

Re: Government is Gaming the Public

Yes! I see the Republican Party as behind this in order to set up key issues for the 2016 election. They are covered by plausible deniability. After all, who could possibly believe the Republican Party is behind a massive hack claimed by the Guardians Of Peace (GOP). It is too transparent. Unless, it is the Democratic Party in a long con aimed at discrediting the Republicans. Although, I suppose the DPRK could be behind it but doxing doesn't seem to be their style. Whose style is that?

This is why I have trouble with politics. There is so much effort put into maintaining power and discrediting opponents. Why can't people just look for real solutions to problems? This is why I am a nerd and not a politician.

Please have some evidence before blaming "lazy" IT. It is equally likely that management is loath to have to learn more than one four-letter password, or has the requirement to not implement a security feature that would perceptibly change their world in any way (including icon colors). And is equally loath to spend money on products which may improve security posture.

Re:

There's some truth in this: a lot of security disasters happen not because IT staff are stupid or careless, but because management ORDERS them to do things that are stupid or careless. I know: been there, done that, got fired for refusing, successor did it (of course), and less than a year later they paid for it dearly. It's a pretty common pattern.

Re: Re:

"Incidentally, it's not necessary to spend money on security products to have a reasonably secure operation"

This is something that is essentially impossible to get many companies to understand. I think it's because they don't understand what "security" actually is. There is no technological magic bullet that will make you secure, no matter how much you spend. Security comes from behavior, not technology.

huh! Obama didn't and still isn't condemning the attacks by the NSA, CIA, FBI and anyone else who was/is spying on citizens in and away from the USA, including the governments of nations supposedly allies to the USA!! Funny how when it does it, there's nothing wrong but when any other nation does the same thing, it's the most despicable act going, throwing doubt on to relationships between the nations, whether already strained or not!!

Re: Expanding on the statement

This hack looks like a false flag from the beginning. What sets this hack apart from the South Korean disk wiper hack, is how loudly the hackers have taunted their victim.

Almost every single nation-state hack I've seen, attempts to be stealthy and low key. Nothing about the Guardians of Peace hack is low key.

The Sony hack looks like it was carried out by a hacking collective. A hack for the lolz if you will. Honestly, who justifies an attack by saying it's about a comedy movie? Certainly not nation state hackers.

I'm disappointed in the White House and FBI's detective skills. Either they truly are ignorant, and think it's N. Korea. Or they're using N. Korea as a scapegoat, in order to push cyber-security legislation that will make no one safer, and end up making everyone less secure from hackers by sharing private customer information openly for the hackers to steal.

Gravest threats are merely window dressing as an excuse to take some more supposed freedoms of its citizens. Sony is not an American company.

Further Sony is getting a little just payback for its rootkit it hoisted off on the public unannounced. Sony dropped the movie premiere because it is scared to death that these hacks will reveal something it doesn't want the public to know and doesn't want to deal with.

Hackers have no gain if they can't use the info they took. So it will come out sooner or later. Sony will never be able to appease them forever.

In the meantime a Canadian movie theater has said it will show the movie. So at some time it will be available to download. Just a matter of time. I personally never planned to see this movie as it is just not something I am interested in, even with the hype. All the hype will not improve the movie's quality.

Rootkit

I haven't figured it out yet, what does the movie getting pulled have to do with the hack? Wasn't it someone threatening violence on theaters if the movie played? Couldn't that have been done with the Sony Hack never occurring?

Re:

While the need to protect sensitive sources and methods precludes me from sharing all of the relevant information, one of the reasons "The Interview" was pulled from theaters is because the ultra-secret self-destruct codes for all of the MPAA approved digital projection systems in the US are contained in the compromised "passwords" folder - Apparently, all of the codes were cunningly set to "12345", which is the kind of code an idiot would use on his luggage, but I digress...

The economic fallout alone - Which the MPAA estimates at a minimum of $1 billion / theater - from the use of the self destruct codes would end civilization as we know it.

Re:

Innocent Vs Guilty

I'm sure that the "truth" will be exposed soon. This type of hacking can be done by any expert hacker, they wouldn't just "hack" without having a solid plan to get away with it, especially knowing they may have the FBI up on their tail.

Re: One question

Maybe they're too embarrassed about it?

I mean, given how pathetic Sony's security was and is, hacking them isn't exactly something to be overly proud of. It would be like someone bragging about their 'awesome lockpicking skills' for breaking into a building that had the key to the front door on a nail right next to the door.

Tin Foil hat time.

I don't trust that the US would know their own ass from a hole in the ground. It would not be too hard for enough hackers to stage an attack from any nation with enough effort. A line of code matching shit means nothing.

Now... for my tin foil hat routine... I am getting closer and closer to thinking that the US itself would stage an attack on Sony for some BS reason, maybe it was a bet? and made it look like a turd muffin country did it. Multiple benefits can be had.

1. Scare more stupid and cowardly citizens into letting the goobermint take more liberties/privacy away in the name of safety.

2. Drum up public support for exploding accused nation.

3. Reap kudos from the chicken shit population, which is circular with #1.

Hell, maybe Israel is not feeling very trusting with the US and pull this shit off to sucker someone else into handling a turd muffin nation, but it would make more sense if it was Iran on the hook... then again... South Korea anyone?

limiting liability

don't most insurance coverages have exceptions for "acts of God [sic], war, ...". seems Sony is using govt not only to change the subject from their ineptitude but covering their liability ass as well.

Publicity Stunt?

Sorry for being late, been off line.

This Sony thing smacks me as a big publicity stunt. Buying off Washington is merely pocket change for Sony. But the free advertising, in all the hype, is priceless. I'm betting that the movie will be released as normal, quite soon.

Not, of course, that I will waste my money.

Just in case I'm wrong, it's happened before. I must congratulate North Korea on their restrained response. Remember, the USA sends predator drones and hellfire missiles against those they don't like. N. Korea's response is rather tame.

Many people learn that free speech has repercussions. Bad mouth your boss online and expect something unpleasant. Sony is just learning that they too have limitations!

Look! Over there! Behind you!! he he he he he he he

False Flag Warning.

All the evidence that has been presented "proving" North Korea as the culprit, would also be evidence of a CIA false flag operation, since anyone "in the know" could have used these same code snippets, hacker wares and tech resources, to pull off this attack, including and especially the CIA, NSA, FBI and other less known secret federal agencies of the USG.

And the rationale behind the USG doing a false flag operation to make the public think that NK is behind it is simple:

"North Korea’s attack on SPE reaffirms that what we are dealing with now can only be described as the cyber-war equivalent of the jetski level in Battletoads."

To get more public support and taxpayer funding and new spy-enabling legislation for the on-going Cyber War that the USG is already operating, by "reaffirming" that the FUD is really for really real, honest injun!!!!

And, by screaming Evil Korean Empire and Global Cyber War at the top of their lungs, they also drown out all the public discourse about the actual content of the material taken from Sony's servers, concerning their on-going bribery of Attorneys General and their assault on Google and the Internet in general.

Given all the above, I would say that the chances of this being a CIA op is likely 10 times greater than that of it being a completely Korean op.

Then again, one cannot rule out the idea that it's a joint effort by the USG and the Korean Government either, since almost all visible animosity between foreign governments is purely public relations, as their goals of mass surveillance and population control are identical nation to nation.

Starting an international cyber war would easily benefit the spy agencies and corporate interests of every nation on earth (especially five eyes nations), as the public would then be called upon to foot the bill fully, as it does for any declared war, and the kid gloves would come off and the surveillance state would be a legally guaranteed sure thing.

The constitution would be completely cancelled. Legally. For the war effort. Once again.

Re: Look! Over there! Behind you!! he he he he he he he

And, by screaming Evil Korean Empire and Global Cyber War at the top of their lungs, they also drown out all the public discourse about the actual content of the material taken from Sony's servers, concerning their on-going bribery of Attorneys General and their assault on Google and the Internet in general.

The mass media corporations shout the same phony tale. To the extent that the wikipedia article (that is based on quotes from the mass media) doesn't mention any wrongdoing by Sony. Only celebrity gossip and other fluff!

Re: Re: Re: Look! Over there! Behind you!! he he he he he he he

Someone is working very hard to make this about North Korea, and not about buying attorney generals. If the media cartels are able to direct attention towards a movie instead of their wrongdoing they will be happy.

When the distraction is pushed to this extent, it is almost a given that the Wikipedia article reflects this. I expect the Wikipedia article to improve. Already Sony's lax security is mentioned.

TORONTO — The satirical comedy The Interview put the U.S. firmly in the crosshairs of the North Korean regime and sparked a cyber-attack on California-based Sony Pictures and threats of terrorism on U.S. soil.

But what Kim Jong-un has seemingly overlooked — or chosen to ignore — is the fact that Canada is largely responsible for The Interview. . . .

...lack of sufficient coffee no doubt...

Ooops. Wrong quote there.

Then again, since I think it is a false flag op, perhaps the "Jetski level in Battletoads" is a far more appropriate phrase than "... pose one of the gravest national security dangers to the United States." :)

Sony attacks

Real boon for the security people. Without any risk to the public, the North Korean operatives are flushed out into the open, and our security people have an opportunity to assess both their capabilities and at least a chance to identify their operatives. If I were still in security, I would be popping a bottle of champagne.

Credit where credit's due?

This doesn't show the grave, mega-scary, super-threat of cyber-terrorism. It shows that Sony has some exceptionally lazy security and IT people.

I want to believe that's unjustified. Everything I've read points to Sony being exceptionally cheap, resenting having to actually employ sufficient staff! Perhaps they had good people, but they had nowhere near enough to handle the operation. Am I mistaken? Did they have enough people with the necessary skills, and they got lazy? Where's the proof?

I really think the movie should still be released. Maybe not in theatres but through some other medium. As another article on the subject I read talked about, this will just set a precedent for future hackers. If you can silence one of the biggest companies in the US through a hack, what's to stop hackers in the future from taking down other big corporations when they are not happy with something?

Re:

The American conception of free expression comprehends both the right to speak—and the right not to speak. Compelled speech is as much an infringement as compelled silence.

Sony Pictures parent company may be in the best position to determine whether releasing the movie would cause an utterly intolerable loss of face for DPRK leadership.

In any event, whether or not they are truly in the best position to assess the cultural impact of the movie—in the end, it is up to the moviemakers to decide whether to speak or remain silent. They have the final word.

With the unintended transparency, all this has taught me is that we need MORE "sony" hacks not less......until they're not needed, which depends on these corporate governments getting some sense of a moral compass IN ALL FIELDS, because just even ONE bad apple will ruin the crop

Media strategy

After Sony pulled The Interview and the hackers declared victory, it left one question: If the hackers were so interested in getting release of The Interview canceled, then why hadn't they made that clear from the beginning? Or, put another way, why did they spend two weeks leaking embarrassing emails sent by celebrities, rather than shifting immediately to putting pressure on Sony over The Interview?

Please define "gravest threat"

Like other people are saying, how does the FBI define "gravest threat"? Some hackers hacked into an insecure *private* company, threatened "something, something, movie theaters" and suddenly this is a "grave threat".

But that's good- keep up the hyperbole and soon everyone will be so dulled by every "gravest threat" that no one will listen. It's almost like they've never heard the story about the boy who cried wolf.

On the other hand, this is excellent cover to move away from the torture report.

We always like to blame others....

It's so easy to point the finger and in serious situations like the Sony hack we need closure, we want to blame someone. It's a natural human thing, I think if we want to be proactive in the future we need to get past the idea of everything needs to be blamed on something.